A Short Proof of the PRP/PRF Switching

Lemma

Donghoon Chang1⋆ and Mridul Nandi2

1
Center for Information Security Technologies (CIST)
Korea University, Seoul, Korea
dhchang@cist.korea.ac.kr
2
CINVESTAV-IPN, Mexico City
mridul.nandi@gmail.com

Abstract. In Eurocrypt 2006, Bellare and Rogaway [2] gave a proof of

the PRP/PRF switching Lemma using their game-based proof technique.
In the appendix of the same paper, they also gave an proof without
games. In this paper, we give another proof of the switching lemma,
which is simple and mathematically-clear and easy to uderstand. Our
proof is based on the strong interpolation theorem.

Keywords : PRF, PRP, Switching Lemma.

1 Some Notations and Results

This section is almost same as that of [3].

Counting. Let F := Func(n, n), the set of all functions f : {0, 1}n → {0, 1}n.
And let P := Perm(n, n), the set of all permutations f : {0, 1}n → {0, 1}n. It is
n
easy to see that |F | = 2n2 and |P| = 2n !. Now, for any distinct ai ’s and any
distinct zi ’s, the number of functions f such that f (a1 ) = z1 , · · · , f (aq ) = zq
n
is exactly 2n(2 −q) because, the outputs of q elements are fixed and the rest
(2n − q) many outputs can be chosen in (2n )(2 −q) many ways. Similarly, for
n

any distinct ai ’s and any distinct zi ’s, the number of permutations f such that
f (a1 ) = z1 , · · · , f (aq ) = zq is exactly (2n −q)!. Thus, Pru [u(a1 ) = z1 , · · · , u(aq ) =
1
zq ] = 2nq where u is the uniform random function on F (an uniform ran-
dom variable taking values on F ). And Prπ [π(a1 ) = z1 , · · · , π(aq ) = zq ] =
1 1 1
2n × 2n −1 · · · 2n −q+1 where π is the uniform random permutation on P (an uni-
form random variable taking values on P).

View. In this paper we consider a distinguisher A which has access of an ora-

cle O. We assume that A is deterministic and computationally unbounded. We
⋆
The first author was supported by the MIC(Ministry of Information and Communi-
cation), Korea, under the ITRC(Information Technology Research Center) support
program supervised by the IITA(Institute of Information Technology Advancement)
(IITA-2008-(C1090-0801-0025))
assume that all queries are distinct and it makes at most q queries to the oracle
O. Suppose A makes ai as O-query and obtains responses zi , 1 ≤ i ≤ q. The
tuple v = ((a1 , z1 ), · · · , (aq , zq )) is called as the view of A. We also denote vO
to specify that the view is obtained after interacting with O. We define the first
i query-response pairs of the tuple v by vi = ((a1 , z1 ), · · · , (ai , zi )).

Advantage. Let F, G be probabilistic oracle algorithms. We define advantage of

the distinguisher A at distinguishing F from G as

AdvA (F, G) = |Pr[AF = 1] − Pr[AG = 1]|.

Theorem 1. (Strong Interpolation Theorem) If there is a set of good views

Vgood such that

1. for all v ∈ Vgood , Pr[vF = v] ≥ (1 − ε) × Pr[vG = v] and

2. Pr[vG ∈ Vgood ] ≥ 1 − ε′

then for any A we have AdvA (F, G) ≤ ε + ε′ .

Proof. This is directly from the idea explained in [1].

2 a short proof of PRP/PRF Switching Lemma

Lemma 1 (PRP/PRF Switching Lemma). Let n ≥ 1 be an integer. Let A

be a distinguisher that asks at most q oracle queries. Then

q(q − 1)
|Pr[Au = 1] − Pr[Aπ = 1]| ≤ ,
2n+1
where u is the uniform random function on F and π is the uniform random
permutation on P.

Proof. Our proof is based on the strong interpolation theorem. The organization
of our proof is as follows. First, we define a set of good views Vgood and give
a lower bound of Pr[vF = v] for all v ∈ Vgood , where F is u. And we give an
upper bound of Pr[vttG = v] for all v ∈ Vgood , where G is π. Then, we compute
ε and ε′ such that for all v ∈ Vgood , Pr[vF = v] ≥ (1 − ε) × Pr[vG = v] and
Pr[vG ∈ Vgood ] ≥ 1 − ε′ . Finally, based on Theorem 1 (strong interpolation the-
orem), we conclude that |Pr[Au = 1] − Pr[Aπ = 1]| ≤ ε′ + ε.

– Vgood is a set of good views v = ((a1 , z1 ), · · · , (aq , zq )) such that ai ’s are

distinct and zi ’s are also distinct.
1
– For all v ∈ Vgood , Pr[vu = v] = 2nq .
1
– For all v ∈ Vgood , Pr[vπ = v] = 2n × 2n1−1 · · · 2n −q+1
1
= 2−nq × 1−1 1n × · · · ×
2
1 1 1
≤ 2−nq × = 2−nq × .
1− q−1
2n 1− 1+2+···+(q−1)
2n 1− q(q−1)
2n+1
 1
– For all v ∈ Vgood , Pr[vu = v] ≥ (1 − ε) × Pr[vπ = v] ⇐ 2nq ≥ (1 − ε) × 2−nq ×
q(q−1)
1
q(q−1) ⇔ 1 − 2n+1 ≥ 1 − ε ⇐ ε = q(q−1)
2n+1 .
1− 2n+1
– Pr[vπ ∈ Vgood ] = 1 ⇔ ε′ = 0
q(q−1)
Therefore |Pr[Au = 1] − Pr[Aπ = 1]| ≤ ε′ + ε = 2n+1 .

References
1. D. J. Bernstein. A short proof of the unpredictability of cipher block chaining.
http://cr.yp.to/antiforgery/easycbc-20050109.pdf , 2005.
2. M. Bellare and P. Rogaway, Code-Based Game-Playing Proofs and the Security of
Triple Encryption, Advances in Cryptology - Eurocrypt’06, LNCS 4004, Springer-
Verlag, pp. 409-426, 2006.
3. D. Chang and M. Nandi, Improved Indifferentiability security analysis of chopMD
Hash Function, Appears in FSE’08.